Security researchers have discovered new samples of the banking Trojan Emotet in circulation. These samples can propagate internally across a network using credential brute-force techniques. This latest evolution of the Trojan suggests the actors behind the campaign may have been inspired by the WannaCry and NotPetya attacks, which leveraged worm capabilities to spread rapidly across networks. It stands to reason that crimeware authors have taken note of the broad impact of those events and are looking to incorporate spreader components into their toolkits. The WannaCry and Petya campaigns clearly demonstrated how the inclusion of additional techniques such as credential dumpers (Mimikatz) and exploits (EternalBlue) can greatly accelerate propagation across an enterprise.
Security researchers began to suspect over a month ago that some versions of Emotet had become wormable. Further research yielded a self-extracting RAR file containing two files, including a "spreader bypass" component. This component enumerates network resources to find shares it can write to, or brute-forces credentials in order to gain write access. Once it finds a reachable system, it writes the service component to that system and creates a service on it.
Because the spreader package in the newer, wormable Emotet variant is not wrapped in the manner that traditional versions are, researchers theorize that this package may not actually be a direct component of Emotet, but rather something that is delivered by one specific threat actor using the Trojan malware.
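The spreader behaviour described above (a burst of failed network logons from one source, a successful logon, then a new service installed on the victim) leaves a recognisable trail in Windows Security and System event logs. The following is an added detection example, not code from the original advisory or from any Emotet sample; the event records are constructed and flattened to dicts, and the hostnames, user names and addresses are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs). 4625 = failed logon,
# 4624 = successful logon (logon_type 3 = network), 7045 = new service installed.
EVENTS = [
    {"ts": "2017-09-01T10:00:01", "id": 4625, "host": "FS01", "src": "10.0.0.5", "user": "admin"},
    {"ts": "2017-09-01T10:00:02", "id": 4625, "host": "FS01", "src": "10.0.0.5", "user": "admin"},
    {"ts": "2017-09-01T10:00:03", "id": 4625, "host": "FS01", "src": "10.0.0.5", "user": "admin"},
    {"ts": "2017-09-01T10:00:04", "id": 4625, "host": "FS01", "src": "10.0.0.5", "user": "admin"},
    {"ts": "2017-09-01T10:00:05", "id": 4625, "host": "FS01", "src": "10.0.0.5", "user": "admin"},
    {"ts": "2017-09-01T10:00:06", "id": 4625, "host": "FS01", "src": "10.0.0.5", "user": "admin"},
    {"ts": "2017-09-01T10:00:07", "id": 4624, "host": "FS01", "src": "10.0.0.5", "user": "admin", "logon_type": 3},
    {"ts": "2017-09-01T10:00:09", "id": 7045, "host": "FS01", "service": "svc_update"},  # made-up name
    # Benign: a user mistypes a password twice, then an admin installs a service later.
    {"ts": "2017-09-01T11:00:01", "id": 4625, "host": "FS02", "src": "10.0.0.9", "user": "bob"},
    {"ts": "2017-09-01T11:00:05", "id": 4625, "host": "FS02", "src": "10.0.0.9", "user": "bob"},
    {"ts": "2017-09-01T11:00:10", "id": 4624, "host": "FS02", "src": "10.0.0.9", "user": "bob", "logon_type": 3},
    {"ts": "2017-09-01T11:02:00", "id": 7045, "host": "FS02", "service": "backup_agent"},
]

FAIL_THRESHOLD = 5          # failed logons from one source to one host
WINDOW = timedelta(minutes=10)

def detect_spreader(events, fail_threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return alerts for (src, host) pairs where >= fail_threshold failed logons
    are followed, within the window, by a successful network logon from the same
    source and then a new service installed on that host."""
    events = sorted(events, key=lambda e: e["ts"])
    fails = defaultdict(list)   # (src, host) -> timestamps of recent failures
    wins = {}                   # (src, host) -> time of success after a burst
    alerts = []
    for e in events:
        t = datetime.fromisoformat(e["ts"])
        key = (e.get("src"), e["host"])
        if e["id"] == 4625:
            fails[key] = [x for x in fails[key] if t - x <= window] + [t]
        elif e["id"] == 4624 and e.get("logon_type") == 3:
            if len(fails[key]) >= fail_threshold and key not in wins:
                wins[key] = t
        elif e["id"] == 7045:
            for (src, host), t_win in wins.items():
                if host == e["host"] and timedelta(0) <= t - t_win <= window:
                    alerts.append({"src": src, "host": host, "service": e["service"],
                                   "failed_logons": len(fails[(src, host)])})
    return alerts

if __name__ == "__main__":
    for a in detect_spreader(EVENTS):
        print(f"ALERT: {a['src']} brute-forced {a['host']} ({a['failed_logons']} failures) "
              f"then installed service {a['service']}")
```

In production the threshold and window should be tuned to the environment, and the 4624/4625 events come from the victim host's Security log while 7045 comes from its System log, so both sources must be collected.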
Mauritian Computer Emergency Response Team (CERT-MU)
National Computer Board
7th Floor, Stratton Court
La Poudriere Street